Controlling access to IBM App Connect Enterprise
There are several factors to consider when you are deciding which users can execute App Connect Enterprise commands, and which users can control security for your resources.
About this task
Although most security for App Connect Enterprise and its resources is optional, you might find it appropriate to restrict the tasks that some user IDs can perform. You can then apply greater control to monitor changes.
You can control all IBM® App Connect Enterprise administration tasks by enabling administration security. You can enable administration security and specify the authorization mode, either by setting the adminSecurity and authMode properties in the node.conf.yaml configuration file for the integration node, or by using the mqsichangeauthmode command. This task is described in Enabling administration security, and is independent of the tasks described in this section.
When you are deciding which users are to perform the different tasks, consider the following steps:
Procedure
Deciding which user account to use for the integration node service ID
About this task
On a Linux or UNIX operating system, the integration node process runs under the user ID that runs the mqsistart command, so that user ID must be a member of both the mqm and mqbrkrs groups.
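A preflight check for the Linux/UNIX case, added here as an example (it is not part of the IBM documentation or the product): before running mqsistart, confirm that the invoking user is in every group the text requires. The group names mqm and mqbrkrs come from the page; the function names and the way they are called are assumptions. Membership is read with `id -nG`, which lists the primary and supplementary groups of a user.

```shell
#!/bin/sh
# Added example, not IBM code: verify group membership before mqsistart.
# Required group names (mqm, mqbrkrs) are from the documentation; the
# function names below are assumptions made for this example.

# groups_contain "GROUP LIST" WANT...  -> 0 if every WANT appears in the
# space-separated GROUP LIST, 1 otherwise. Kept separate from "id" so the
# logic can be exercised on constructed input.
groups_contain() {
    have=$1; shift
    for want in "$@"; do
        found=0
        for g in $have; do
            if [ "$g" = "$want" ]; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# user_in_groups USER WANT...  -> 0 if USER is in every WANT group,
# 1 if a group is missing, 2 if USER is unknown to the system.
user_in_groups() {
    user=$1; shift
    have=$(id -nG "$user" 2>/dev/null) || return 2
    groups_contain "$have" "$@"
}

# check_mqsistart_user USER: print a diagnostic and return non-zero if USER
# should not be used to start the integration node.
check_mqsistart_user() {
    user=$1
    if user_in_groups "$user" mqm mqbrkrs; then
        printf 'ok: %s is in mqm and mqbrkrs\n' "$user"
        return 0
    fi
    printf 'refusing: %s is not in both mqm and mqbrkrs (groups: %s)\n' \
        "$user" "$(id -nG "$user" 2>/dev/null)" >&2
    return 1
}

# Usage (assumed node name): check_mqsistart_user "$(id -un)" && mqsistart ACENODE
```

Because mqsistart adopts the caller's user ID, running it from an ID that is in mqm but not mqbrkrs starts a node that cannot reach its own registry; the check above fails closed in that case rather than starting the node with mismatched permissions.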
On the Windows platform, the integration node runs under a service user account. To decide which user ID to use for the service ID, answer the following questions:
Procedure
Results
Note that for cases one and two above, the user ID chosen must be granted the Logon as a service privilege. This is normally done automatically by the mqsichangeproperties command when a service user ID is specified that does not have this privilege.
However, if you want to do this manually before running these commands, you can do this by using the Local Security Policy tool in Windows, which you can access by selecting .
Setting security on the integration node
About this task
If you are using the queue-based authorization mode for the integration node (mq mode), the local mqbrkrs group is granted access to internal queues whose names begin with the characters SYSTEM.BROKER. If you are using the file-based authorization mode, the local mqbrkrs group is granted read, write, and execute permissions on the integration node for running local mqsi commands. Ensure that user IDs requiring these permissions are members of the mqbrkrs group.
Securing the integration node registry
About this task
Integration node operation depends on the information in the integration node registry, which you must secure to guard against accidental corruption. The integration node registry is stored on the file system under the work path directory, which is specified by the MQSI_WORKPATH environment variable. Set your operating system security options so that only user IDs that are members of the group mqbrkrs can read from or write to integrationNodeName/CurrentVersion and all subkeys.
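The following shell functions are an added example, not code from the IBM documentation: they apply the restriction described above to the registry directory under the work path and then audit it for anything still accessible outside the mqbrkrs group. The mqbrkrs group and MQSI_WORKPATH are from the page; the exact path of the registry directory under the work path is not stated here, so the directory and group are passed as arguments, and the function names are assumptions. The audit uses POSIX `find` predicates (`-perm -004` and `-perm -002` for other-readable and other-writable, `! -group` for wrong group ownership), so it runs on Linux and UNIX alike.

```shell
#!/bin/sh
# Added example, not IBM code: restrict the integration node registry to the
# mqbrkrs group and audit the result. Arguments:
#   DIR   registry directory, e.g. "$MQSI_WORKPATH/<registry subdir>" (assumed)
#   GROUP group that may read and write it, i.e. mqbrkrs on a real node

# harden_registry DIR GROUP: hand DIR and everything below it to GROUP and
# strip all access from "other". Owner bits are left untouched.
harden_registry() {
    dir=$1; grp=$2
    chgrp -R "$grp" "$dir" && chmod -R o-rwx "$dir"
}

# audit_registry DIR GROUP: print every path that is world-readable,
# world-writable, or not group-owned by GROUP. Returns 1 if any was found.
audit_registry() {
    dir=$1; grp=$2
    bad=$(find "$dir" \( -perm -004 -o -perm -002 -o ! -group "$grp" \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# count_audit_findings DIR GROUP: number of offending paths, 0 when clean.
count_audit_findings() {
    audit_registry "$1" "$2" | awk 'END { print NR }'
}

# Usage on a real node (registry subdirectory is an assumption):
#   harden_registry "$MQSI_WORKPATH/components/ACENODE" mqbrkrs
#   audit_registry  "$MQSI_WORKPATH/components/ACENODE" mqbrkrs || echo "registry still exposed"
```

Run the audit periodically, not only once after hardening: a file restored from backup or created by a process with a permissive umask silently reopens the registry to every local user, which is exactly the accidental corruption the text warns about.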